Online Data Surveillance: Implied Consent, Actualized Vulnerability

A 2008 Carnegie Mellon study determined that if we performed an annual review of the lengthy privacy policies girding our Internet activity, the sacrifice for our efforts would be $365 billion in lost productivity. This calculation speaks to the imbalanced core of our relationship with for-profit communications technology: they provide quick means to satiate our limbic socialization needs, and in exchange, we cede bits of our autonomy over a long, data-mined period of time. This paper will explore the consequences of communication companies' failure to give legal notice -- and consumers' inertia in taking notice -- of their constant surveillance.

The Problem of Implied Consent

Our class lectures stressed a dire message that "privacy is dead." We learned about the technological underpinnings of surveillance and encryption, but from a black letter legal standpoint, this death knell sounded in uncertain tones. Not personally knowing the black letter law of privacy, I needed to press this conclusion by understanding which relevant statute(s) exist, the context in which they were enacted, and their current application today. (Un)fortunately, my own research confirmed this in-class warning:

The primary federal privacy statute is the Electronic Privacy Communications Act of 1986. The original intent in enacting EPCA was to impose criminal penalties for unauthorized wiretapping. EPCA's massiveness can be broken down into three main areas of protection, as it:

Part I: "protects wire, oral, and electronic communications while in transit" from "intentional" interception (Wikipedia).

Part III: "prohibits the use of pen register and/or trap and trace devices to record dialing, routing, addressing, and signalling information used in the process of transmitting wire or electronic communications without a court order" (Wikipedia).

The problem with EPCA is that was enacted before the Internet became a societal reality. Prior to the Internet era, a reasonable expectation of privacy could be understood and created in tangible terms: lock the doors to your home, and keep your personal files in a locked filing cabinet. But today, if one lacks an understanding of how computerized data transmission works, it is difficult to translate those tangible terms of privacy from manual to digital, from physical keys to third-party cookies.

How does the government take advantage of this gap in privacy cognition? A DOJ slideshow summarizes the government's post-9/11 stance on ECPA: the government can electronically surveil under the color of a broad Fourth Amendment exception (the Fourth Amendment authorizes warrantless search by officials, so long as it is predicated on an official's reasonable suspicion or fear). The government also seizes upon the fact that persons can consent to warrantless search. In their own words, consent "may be implied through 'login banner' or 'terms of service'" (Slide 19).

Taking Notice On Our Own

Waiting for the law to catch up with technology appears to be a hopelessly convoluted pursuit. In the meantime, we as individuals can take a moment to stand up for our own digital autonomy. A few ideas:

Campaign to Resurrect Warrants

Pressure the FTC

We could treat the to-date invasions of privacy as a massive tort and impose civil damages. For instance, a certain portion of the revenues that $100B-valuated Facebook gained from its aggregation of “implied consent” data should be reallocated to our public school systems. We could hope that the FTC follows through with its threat to fine Facebook $16,000 per day unless it curbs its deceptive data practices. We could urge the FTC to take similar actions against Carrier IQ and other implied consent services.

"LeechBlock" Facebook

We could reflect on the social pressures imposed by the launch of Facebook's new Timeline. As it starts rolling out to users, many are scrambling to delete photos, status updates, and other content bubbling up from college years' past. As the Associated Press quips, "if something's not on Facebook, it didn't happen."

How much time does it take to go through 6+ years of Facebook data and curate it to your current social identity's satisfaction? Set up LeechBlock as a Firefox Add-on and find out the exact amount of time you spend engaging in this preening. Seeing an actual number could be the first step to admitting, and curbing, this 21st century addiction. Once you're done curating your profile (and if you can set aside the fact that FB still has all of your data on its servers), set LeechBlock? 's timed surfing limits to prevent future lapses in Facebook judgment, and have the app redirect you to more meaningful sites of your choosing.

Or... Wait for a US "Cyworld Attack"

We could also adhere to the status quo, and remain willfully blind to the danger of handing over our data to Facebook and other for-profit Web conglomerates. When hackers attacked CyWorld, the most popular social networking site in South Korea, CyWorld? users felt an immediate, unified pain of having their banking information, social security numbers, and other extremely personal information captured. Why? The South Korean government and its Real Name and Cyber Verification Laws require all Internet users to provide this glut of information prior to accessing social Web sites. With each additional "like," FarmVille? token purchase, and Timeline milestone, we are voluntarily self-propelling towards a similar fate.

This draft works well
for readers who took the class, paid attention, and don't need any
further introduction to any of the issues. I hope we can say that's
the whole primary readership of the wiki. But for a wider
readership, if you were writing for one, the argument skips too many
steps and moves too quickly. Whether that's important to a revision
is entirely your call. For present purposes, there is little to
improve.

I am pleased that this draft went over well. I did listen in class, but for a while, it was extremely difficult for me to come up with "big picture policy statements." Now that I have been introduced to the other, free side of information law, I can definitely say that my perspective on the subject has broadened.

If I chose to improve this draft, what would be the deadline for me to do so?

Note: I probably won't be making changes to this draft during Spring Semester. I will add, however, that this class spurred me to permanently wipe out my Google Web History. Google has stepped up its Big Brother approach, and has centralized all of its products' data with a single, invasive privacy policy. No thanks.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable.
To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

Navigation

This site is powered by the TWiki collaboration platform. All material on this collaboration platform is the property of the contributing authors. All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.